From b9da081a43556c5785bd79f1e2874d0c7c0ea50c Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Mon, 7 Jul 2025 22:41:53 +0000
Subject: [PATCH 1/2] fix: prevent XSS by using textContent instead of innerHTML for messages
---
 .../streaming/app/frontend/src/app/lives/play/play.component.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts b/owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts
index d2b0a7eea..99b863d68 100644
--- a/owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts
+++ b/owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts
@@ -120,7 +120,7 @@ export class PlayComponent implements OnInit {
     newMessageBox.appendChild(labelUserMessage);
-    contentMessage.innerHTML = message.content;
+    contentMessage.textContent = message.content;
     newMessageBox.appendChild(contentMessage);
     return newMessageBox;
From edcd2775641c52e4bbe1e53e1ba72615230fe12d Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Mon, 7 Jul 2025 22:42:25 +0000
Subject: [PATCH 2/2] fix: replace innerHTML with textContent to prevent XSS vulnerability
---
 .../streaming/app/frontend/src/app/lives/play/play.component.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts b/owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts
index 99b863d68..d14ba6e91 100644
--- a/owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts
+++ b/owasp-top10-2021-apps/a3/streaming/app/frontend/src/app/lives/play/play.component.ts
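Review bot: The switch to `textContent` on `contentMessage` is the right DOM sink for untrusted chat text, but the hunk leaves no explanation, so a later edit can quietly put `innerHTML` back (for example to render links or emoji); add `// textContent, not innerHTML: message.content is user-supplied and must never be parsed as markup` above the assignment. If the chat is meant to render any formatting at all, that has to go through Angular's DomSanitizer or template binding rather than back to innerHTML. This path sits under owasp-top10-2021-apps/a3, which looks like a deliberately vulnerable lab app; if the stored XSS in the live chat is the lesson being taught, confirm the maintainers want it fixed in the app itself rather than documented in the lab's solution guide. The enclosing method that builds newMessageBox starts and ends outside the hunk, so any other sink for message fields in it is not visible here.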
@@ -104,7 +104,7 @@ export class PlayComponent implements OnInit {
     let usernameUserMessage = document.createElement("b");
     usernameUserMessage.className = "user-message";
-    usernameUserMessage.innerHTML = message.user.username;
+    usernameUserMessage.textContent = message.user.username;
     labelUserMessage.appendChild(usernameUserMessage);